Too often when conducting security assessments we make some rather
telling discoveries. Many times businesses are not even aware that they
have problems, and by then it may be too late. As part of our annual
security training we are taught to use the resources at our disposal to
maintain efficiency. We have come to rely on technology to speed up the
processing of medical claims, to place orders online and to maintain
required records for business use. Corporations create policies to try
to give guidance to employees and contractors on safe data handling, to
enforce strong passwords and rules on data storage and handling, and to
support regulatory compliance with Sarbanes-Oxley, HIPAA and classified
data handling requirements. All of these measures are in place to limit
the liability of the company and ensure that information does not end
up in the wrong hands.
In this article we will focus on email and its typical use in
business. I will cover some of the issues with the email systems in use
today and go over some of the ways in which you may be able to protect
your company from costly mistakes.
I will focus on 5 key areas:
1. Verification of Identity
2. Encryption
3. Storage for Auditing Purposes
4. Misdirected Email
5. Detection of the Insider Threat
Verification of Identity:
It goes without saying that when you leave your workstation you should
lock it with a password. Often when performing security audits we note
that more than half of the employees in the organization fail to perform
this simple step, which ensures that nobody can read your email or see
documents and other sensitive information you may have open that they
have no need to see. What is to stop someone from sending an email on
your behalf? What is to stop them from deleting the message from your
sent folder and emptying your trash? If this were to occur at your
organization, could you recover the sent message if there were a legal
issue or requirement to do so?
We seriously doubt it, as in the 20 years we have been doing security
auditing we have seen only a handful of companies that could actually
reproduce a sent email message after it was deleted from the sender's
mailbox. You may remember the IRS scandal that has been all over the
news: Lois Lerner claimed that she had a hard drive crash and that the
IRS could not recover her email messages. This brought about many hours
of Senate inquiries and investigations, and it's still in the news
today. The problem here is twofold.
Due to sunshine laws and other Federal regulations, public officials
must maintain records of their email for a period of usually 2 years at
minimum. The IRS claimed at first that the backups were unavailable and
then claimed that they did not exist, even though there are rules and
laws that require this information to be archived. We will use this
example in this section to talk about some of the reasons having access
to old email is critical for businesses.
What would happen if an employee were to accidentally delete a
contract received through email? The other party that executed the
contract has a copy, but your only copy was deleted accidentally. Then,
as part of the services being provided, that second party cannot
produce the contract that was executed. An unethical company may alter
its copy of the contract to include terms different from the original,
and if you cannot produce the contract it may be hard to prove that the
terms have been modified. You are putting your company's assets and
resources at risk because an employee made a simple error.
What would happen if a threatening email were sent out of your
organization to a third party and the action were reported to law
enforcement? Do you have a definitive way to ensure that the sender was
the actual person who sent the message? If the message was a spoofed
email, do you have proof that the employee was not the source of the
message? Do you have a signed written policy stating that the employee
alone is responsible for their use of your email infrastructure? Do you
have a disclaimer on your email messages stating that the organization
may not hold the same views as the sender? Just a few things to think
about.
Partial Solution: Smart card email authentication is a very good way
to verify that the sender is who they claim to be. Two-factor
authentication will prevent the unauthorized sending of email and
unauthorized access to email not intended for that individual.
Encryption:
Encryption is a good tool for maintaining organizational security.
The use of encryption can prevent unauthorized access to information in
the event that a laptop is stolen or a communication is intercepted. It
can also be used to verify the identity of the sender and receiver. When
using encryption, however, the organization MUST maintain the master key
so that it can decrypt any communications in the event of a court order
or legal requirement. Encryption of email allows you to protect messages
against interception in transit and to ensure that only persons with
the appropriate keys can decrypt the message. Encryption is not 100%
effective, because there may be remnants of decrypted messages on a
laptop, computer or smart phone depending on the product being used.
Encryption should be viewed as a safeguard and not a final line of
defense. Given enough time and hardware, encryption can be defeated
rather easily now that powerful GPU cards are not all that expensive.
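As an added example (this is not code from the original article), the Go program below shows the two properties that this section and the Verification of Identity section ask for, in one place: the sender signs the message so the reader can verify who wrote it, and the message is encrypted so that both the intended recipient and the organisation's escrow ("master") key can decrypt it. That escrow key, not brute force, is the recovery path when a court order arrives. The envelope layout, the key sizes and the function names are assumptions of this example; in a real deployment the private keys would sit on smart cards or in an HSM and S/MIME or PGP would carry the envelope.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the sealed form of one message (layout assumed for this example).
// The body is encrypted once with a random AES-256-GCM key; that key is then
// wrapped (RSA-OAEP) separately for the intended recipient and for the
// organisation's escrow key, so either of them can decrypt but nobody else can.
// The sender's RSA-PSS signature lets the reader confirm who wrote the body.
type Envelope struct {
	Nonce        []byte // AES-GCM nonce
	Ciphertext   []byte // AES-GCM output (body plus authentication tag)
	Signature    []byte // sender's RSA-PSS signature over SHA-256(body)
	KeyForRecip  []byte // message key wrapped to the recipient's public key
	KeyForEscrow []byte // message key wrapped to the organisational escrow key
}

// NewKey generates a 2048-bit RSA key pair (used here for sender, recipient
// and escrow alike; in practice these would live on smart cards or an HSM).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func wrapKey(key []byte, pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// Seal signs body with the sender's private key, encrypts it under a fresh
// message key, and wraps that key for both the recipient and the escrow holder.
func Seal(body []byte, sender *rsa.PrivateKey, recipPub, escrowPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32) // AES-256 message key, used for this one message only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil), Signature: sig}
	if env.KeyForRecip, err = wrapKey(key, recipPub); err != nil {
		return nil, err
	}
	if env.KeyForEscrow, err = wrapKey(key, escrowPub); err != nil {
		return nil, err
	}
	return env, nil
}

// Open unwraps the message key with priv (the recipient's key together with
// env.KeyForRecip, or the escrow key together with env.KeyForEscrow), decrypts
// the body and then checks the sender's signature. Any failure (wrong key,
// tampered ciphertext, wrong claimed sender) yields an error, never a body.
func Open(env *Envelope, wrapped []byte, priv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap message key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("body altered or wrong key: %w", err)
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("sender signature invalid: %w", err)
	}
	return body, nil
}
```

To use it, generate three keys with NewKey (sender, recipient, escrow), call Seal with the sender's private key and the two public keys, and hand the Envelope to the recipient; the recipient calls Open with env.KeyForRecip and their private key, while the compliance officer holding the escrow key calls Open with env.KeyForEscrow. Both also pass the sender's public key, so a message whose signature does not match the claimed sender is rejected even though it decrypts. Note that this escrow design only recovers what was encrypted this way; it says nothing about plaintext remnants left on endpoints, which is the residual risk the paragraph above points out.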
Storage for Auditing Purposes:
It should be said first off that in business things happen. Too often
businesses are in a reactive mode when it comes to liabilities and
security, and they only become proactive when a problem could cost them
reputation or money. One common recommendation that we make to many of
our customers is to ensure that you have email archival in place and to
verify frequently that messages can be recovered from the archives.
There are commercial solutions and inexpensive open source programs
designed to intercept and store email in archives for long-term
accountability. If you can't confirm or deny that an email originated
from your company, you may be in trouble if a problem arises.
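The recommendation above, to verify frequently that messages can be recovered from the archive, can be automated as a recovery drill. The Go program below is an added example, not part of the original article or of any archiving product: it indexes a constructed mbox-format archive by Message-ID, records a SHA-256 fingerprint of each message at archive time (the manifest), and then checks that every manifest entry can still be pulled back out unchanged, reporting the IDs of messages that are missing or altered. The archive contents, the manifest layout and the function names are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/mail"
	"sort"
	"strings"
)

// sampleArchive is a constructed two-message mbox file, not real mail.
const sampleArchive = `From sender@example.com Mon Jan  1 09:00:00 2024
From: "A. Sender" <sender@example.com>
Subject: Executed contract
Message-ID: <contract-001@example.com>

Attached is the countersigned contract.

From sender@example.com Mon Jan  1 09:05:00 2024
From: "A. Sender" <sender@example.com>
Subject: Re: Executed contract
Message-ID: <contract-002@example.com>

Thanks, received.
`

// splitMbox returns the raw messages of an mbox archive. Each follows a "From "
// separator line (mbox writers escape such lines inside bodies as ">From ");
// trailing blank lines are dropped so a message hashes the same anywhere in the file.
func splitMbox(archive string) []string {
	var msgs []string
	for _, part := range strings.Split("\n"+archive, "\nFrom ")[1:] {
		if _, raw, ok := strings.Cut(part, "\n"); ok { // drop the separator line
			msgs = append(msgs, strings.TrimRight(raw, "\n"))
		}
	}
	return msgs
}

// fingerprint is the integrity value stored in the manifest: SHA-256 of the raw message.
func fingerprint(raw string) string {
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}

// IndexArchive maps each Message-ID in the archive to its raw message.
func IndexArchive(archive string) (map[string]string, error) {
	idx := map[string]string{}
	for _, raw := range splitMbox(archive) {
		m, err := mail.ReadMessage(strings.NewReader(raw))
		if err != nil {
			return nil, err
		}
		id := m.Header.Get("Message-ID")
		if id == "" {
			return nil, fmt.Errorf("archived message without Message-ID")
		}
		idx[id] = raw
	}
	return idx, nil
}

// BuildManifest runs when mail is archived: per Message-ID it records a fingerprint.
func BuildManifest(archive string) (map[string]string, error) {
	idx, err := IndexArchive(archive)
	if err != nil {
		return nil, err
	}
	manifest := map[string]string{}
	for id, raw := range idx {
		manifest[id] = fingerprint(raw)
	}
	return manifest, nil
}

// Recover pulls one message out by Message-ID; missing or altered is an error, not a result.
func Recover(archive, id string, manifest map[string]string) (string, error) {
	idx, err := IndexArchive(archive)
	if err != nil {
		return "", err
	}
	raw, ok := idx[id]
	if !ok {
		return "", fmt.Errorf("%s: not in archive", id)
	}
	if fingerprint(raw) != manifest[id] {
		return "", fmt.Errorf("%s: differs from the manifest recorded at archive time", id)
	}
	return raw, nil
}

// Drill is the periodic recovery test; it returns the Message-IDs that failed, sorted.
func Drill(archive string, manifest map[string]string) []string {
	var failed []string
	for id := range manifest {
		if _, err := Recover(archive, id, manifest); err != nil {
			failed = append(failed, id)
		}
	}
	sort.Strings(failed)
	return failed
}
```

Run BuildManifest once when the archive is written and store the manifest separately from the archive (ideally on different storage with its own access controls), then schedule Drill against the live archive; a non-empty result is the signal that a message has been deleted or edited since it was archived, which is exactly the evidence gap the contract and IRS examples above describe. Treating a fingerprint mismatch as a hard failure rather than a warning is deliberate: an archive whose contents can silently change is no better than a mailbox.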
What are some of the downsides to the archival of email?
Misdirected Email:
In the event that an address is transposed, you must ensure that you
notify the recipient and request that the message be deleted. Keep in
mind that you have lost control of the information in the email and it
could now be shared by the untrusted third party. While there is
nothing to prevent that, if you keep your email you have proof that you
notified the recipient and requested that the information be deleted.
If that information shows up down the road as a compromise or helps a
hacker compromise a system, you have done all that you can do. You have
to evaluate the value of the message and take the appropriate actions
to minimize the risk to your organization after you discover that a
message went to the wrong party.
In some instances you may not even realize that it went to the wrong
address, which is why disclaimers on ALL email messages are really
helpful in showing due diligence on the part of the sending
organization. Mistakes happen and email gets misdirected due to typos,
email accounts not being present on the receiving system (in which case
the postmaster of the receiving organization receives the message in
most cases), DNS errors or many other situations that may be out of
your control.
There may be reporting requirements if the message contained financial
or confidential information, or if you are a HIPAA covered entity.
Check with your compliance department to confirm what steps must be
taken immediately to ensure that you are in compliance with State and
Federal regulations, even if you think you already know what those
steps are.
Insider Threats:
Every year over 80 Billion USD is lost by US corporations due to
insider threats, which may consist of corporate spies, governments,
terrorists, hackers and your employees. Yes, you heard that right. Your
trusted employees are a huge threat to your organization, and misuse of
communications systems and email may cost your organization profits,
embarrassment and legal issues. There are many areas of our security
auditing that address the technical aspects of protecting your
resources, but without the right systems in place it's difficult to
electronically detect when proprietary information is leaving your
company, often without your knowledge or approval.
Do you allow thumb drives in your company?
Do you allow employees to print out documents, and do you check to
ensure they are accounted for?
Do you allow personal cell phones in the business and at computer
terminals?
Do you have public printers and faxes in common areas?
These are some of the warning signs that information may be leaving
without your knowledge. It's easy these days to take a picture of a
computer screen or a screenshot and email or upload a document to a
cloud provider or similar service.
Mitigating the Insider Threat: There are some things you can do to
ensure documents, sensitive proprietary information or PHI are not
leaving your organization. Having the right training, technical
controls, monitoring and auditing in place will help to alleviate the
threat but not completely prevent it, as nothing is 100% fail-safe in
the digital age.
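As an added illustration of the technical controls and monitoring mentioned above (example code, not from the original article or any DLP product), the Go program below inspects outbound messages at a mail gateway: mail that stays inside the organisation's own domains is left alone, while mail addressed externally is scanned for PHI (a US SSN, a medical record number) and for the organisation's own classification markers, and anything that matches is held for review with the matched rules recorded for the audit log. The internal domains, the patterns, the rule names and the sample outbox are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// OutboundMessage is the minimum an outbound gateway needs to decide whether
// a message is carrying sensitive content out of the organisation.
type OutboundMessage struct {
	From, To, Subject, Body string
}

// Finding records which rule matched and the matched text, for the audit log.
type Finding struct {
	Rule  string
	Match string
}

// internalDomains is constructed for this example: mail staying inside these
// domains is not "leaving the company" and is not inspected here.
var internalDomains = map[string]bool{"example.com": true}

// rules are constructed content patterns: a US SSN, a medical record number
// (PHI) and the organisation's own classification markers.
var rules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"us-ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"medical-record-number", regexp.MustCompile(`\bMRN[ :#]*\d{6,}\b`)},
	{"classification-marker", regexp.MustCompile(`(?i)\b(confidential|proprietary|internal only)\b`)},
}

// IsExternal reports whether an address lies outside the internal domains.
// Unparseable addresses are treated as external (fail closed).
func IsExternal(addr string) bool {
	parsed, err := mail.ParseAddress(addr)
	if err != nil {
		return true
	}
	at := strings.LastIndex(parsed.Address, "@")
	if at < 0 {
		return true
	}
	return !internalDomains[strings.ToLower(parsed.Address[at+1:])]
}

// Inspect returns every rule hit in the subject or body of a message that is
// addressed outside the organisation; internal mail yields no findings.
func Inspect(m OutboundMessage) []Finding {
	if !IsExternal(m.To) {
		return nil
	}
	var out []Finding
	text := m.Subject + "\n" + m.Body
	for _, r := range rules {
		for _, match := range r.Re.FindAllString(text, -1) {
			out = append(out, Finding{Rule: r.Name, Match: match})
		}
	}
	return out
}

// Decide maps findings to the gateway action: hold the message for review
// when anything matched, otherwise let it go. Either way the result is logged.
func Decide(m OutboundMessage) (string, []Finding) {
	findings := Inspect(m)
	if len(findings) > 0 {
		return "quarantine", findings
	}
	return "deliver", nil
}

// sampleOutbox is constructed test data, not real mail.
var sampleOutbox = []OutboundMessage{
	{"clerk@example.com", "partner@example.net", "Status", "Order 4411 shipped."},
	{"clerk@example.com", "billing@example.com", "Claim", "Patient SSN 123-45-6789, MRN 0012345"},
	{"clerk@example.com", "friend@mail.test", "FW: Claim", "Patient SSN 123-45-6789, MRN 0012345"},
	{"exec@example.com", "press@news.test", "CONFIDENTIAL roadmap", "Attached, please do not forward."},
}

func main() {
	for _, m := range sampleOutbox {
		action, findings := Decide(m)
		fmt.Printf("%-22s -> %-10s %v\n", m.To, action, findings)
	}
}
```

Running it shows the second message (the same PHI sent to the internal billing mailbox) delivered, while the forward of that text to an outside address and the externally addressed "CONFIDENTIAL" message are quarantined with the matching rules attached. The design choice worth noting is the fail-closed handling of addresses the parser rejects: a gateway that silently passes malformed recipients is the kind of gap that lets a typo or a crafted header bypass the check. Pattern rules of this sort are a coarse control and produce false positives; they belong alongside the training, access restrictions on removable media and screen-capture limits the article lists, not in place of them.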
The goal in bringing up these topics is to educate and provide
guidance and assistance to companies that are at high risk for
disclosures, data breaches or leaks of information by unauthorized
personnel, and to provide the training and technical safeguards needed
to keep your company in compliance and as secure as possible without
affecting employees' ability to do their jobs efficiently. Security is
always a balance between available funding and risk management, and
it's a tightrope act to maintain security while not wasting profits on
safeguards that you may not truly need. The only way to be sure is to
have an audit done, assume the risk that you choose not to secure, and
document the gaps in such a manner as to show that you have done as
much as you can to prevent possible future disclosures, while realizing
that nothing is 100% secure and nobody expects it to be. You must be
able to hold individuals responsible for their actions and minimize
your corporate risk when dealing with technology use in the workplace.